DARIAH FIM experiences and plans. 4th Federated Identity Management Workshop, Nijmegen, 21.-22.06.2012. Peter Gietz, DAASI International GmbH, [email protected]

Page 1: DARIAH FIM experiences and plans

de.dariah.eu

DARIAH FIM experiences and plans

4th Federated Identity Management Workshop, Nijmegen, 21.-22.06.2012

Peter Gietz, DAASI International GmbH

[email protected]

Page 2

20 June 2012 2

Agenda

• DARIAH Intro
• Current AAI set-up
• Authorization
• Web Services Integration
• Current research

BTW: DAASI International GmbH is:
– a small company specialized in Open Source based (Federated) Identity Management
– leads and performs the AAI activities in DARIAH

Page 3

DARIAH-EU

• DARIAH: Digital Research Infrastructure for the Arts and Humanities
• One of the few ESFRI projects for the humanities
• Planning phase as EU-funded project
• In the current construction phase most of the work is done in national projects

Page 4

Basic Structure of DARIAH

Figure: the four Virtual Competency Centres (VCCs)
• VCC 1 e-Infrastructure
• VCC 2 Research and Education
• VCC 3 Scholarly Content Management
• VCC 4 Advocacy

Page 5

• VCC1 e-Infrastructure [Germany / Austria] … to establish a shared technology platform for A+H research
• VCC2 Research and Education [Ireland / Denmark] … to expose and share researchers' knowledge, methodologies and expertise
• VCC3 Scholarly Content Management [France / Netherlands] … to expose and share scholarly content
• VCC4 Advocacy, Outreach, and Impact [currently @DCO] … to interface with key influencers in/for A+H

Figure: Virtual Competency Centres (e-Infrastructure VCC, Research & Education VCC, Scholarly Content VCC, Advocacy VCC)

Page 6

Figure: DARIAH-EU with its four VCC areas (e-Infrastructure, Research and Education, Scholarly Content Management, Advocacy), mirrored by the national contributions DARIAH-FR, DARIAH-IE, DARIAH-AT, … further countries DARIAH-nn …, each labelled in its national language (German: research and teaching, research data, e-infrastructure, advocacy; French: liaison between education and research, e-infrastructure, promotion and dissemination, content management).

Page 7

DARIAH-DE Consortium

• 17 Partners
• 7 Universities
• 4 Computing centers
• 1 Library
• 1 Academy of Science
• 1 commercial Partner
• 3 Research institutes

Page 8

VCC1 e-Infrastructure

Figure: service building blocks of VCC1
• AAI
• Hardware
• VM Hosting
• Service Hosting
• Bitstream Preservation
• Software Interoperability
• Provenance Concept
• Issue Tracking
• Version Control
• Archive-in-a-Box
• Facetted Search
• Reference Data and Services
• Continuous Integration
• Wiki / WebDAV
• Schema Registry
• Collection Registry
• Guidelines
• Responsibilities and Contacts
• PID

Page 9

Current AAI set-up

A first version of an AA infrastructure (AAI) has been deployed, based on two standards:

• LDAP
  – for authentication and authorization attributes
  – deploying Open Source Software OpenLDAP

• SAML
  – for AAI within a federation
  – including Web Single Sign-On feature
  – deploying Open Source Software Shibboleth

Page 10

Current AAI set-up

• OpenLDAP provider server
  – Web-based password reset tool
  – Web-based administration tool, including group management
  – LDAP-based applications like Jira can use it as authentication and authorization server

• OpenLDAP replica server
  – contains all data of the OpenLDAP provider
  – a Shibboleth Identity Provider is connected to it
  – DARIAH Services are being „shibbolized“

Page 11

Current AAI set-up

Page 12

Authorization

• Options:
  1. store authZ info decentralized in campus IDMs, and do authZ locally in the SP / application based on those attributes
  2. store authZ info centrally and let the application call out to a central PDP
  3. a mixture: store authZ info centrally but let the SP / application decide upon access

• DARIAH: Keep it simple and first go with 3), perhaps later with 2), leveraging the openRBAC system from the TextGrid project.

Page 13

Authorization

Page 14

Authorization

• No change to campus IdPs
• Standard Shibboleth SP to protect applications, however with special configuration:
  – aggregates attributes from campus IdP and DARIAH IdP
  – requires a minimum set of attributes, otherwise redirects to the registration application at the DARIAH SP

Page 15

Authorization

• DARIAH LDAP with authZ groups managed by admin portal
• DARIAH IdP gets data from DARIAH LDAP and releases both user attributes and entitlements (based on groups) to SPs
• Central Registration SP writes manually completed user attributes to central LDAP
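The decision logic of option 3 across pages 12, 14 and 15, as an added example that is not DARIAH's own code: the SP keys its query to the DARIAH IdP on the campus-released eduPersonPrincipalName, merges both attribute sets, sends users lacking the minimum attribute set to registration, and otherwise decides on a group-derived entitlement. The required attribute set, the LDAP records, the group name and the entitlement URI are constructed for this example.

```python
"""SP-side access decision for authorization option 3: authZ data kept centrally in
the DARIAH LDAP, but the Shibboleth SP / application makes the decision.
Added example, not DARIAH's code; LDAP records, groups and entitlement URIs are constructed."""
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    REGISTER = "redirect to registration application at DARIAH SP"

# Minimum attribute set the application insists on (assumption for this example).
REQUIRED = ("eduPersonPrincipalName", "mail", "displayName")

# Constructed: DARIAH LDAP group -> entitlement URI the DARIAH IdP releases for it.
GROUP_ENTITLEMENTS = {"cn=textgrid-users,ou=groups,dc=example,dc=org": "urn:example:dariah:textgrid"}

# Constructed DARIAH LDAP content, keyed by eduPersonPrincipalName.
DARIAH_LDAP = {
    "alice@uni-a.example": {"mail": "alice@uni-a.example", "displayName": "Alice A.",
                            "groups": ["cn=textgrid-users,ou=groups,dc=example,dc=org"]},
    "bob@uni-b.example": {"mail": "bob@uni-b.example", "displayName": "Bob B.", "groups": []},
}

def dariah_idp_attributes(eppn):
    """What the DARIAH IdP releases: stored attributes plus entitlements derived from groups."""
    rec = DARIAH_LDAP.get(eppn)
    if rec is None:
        return None  # user never registered centrally
    ents = {GROUP_ENTITLEMENTS[g] for g in rec["groups"] if g in GROUP_ENTITLEMENTS}
    return {"mail": [rec["mail"]], "displayName": [rec["displayName"]], "eduPersonEntitlement": ents}

def decide(campus_attrs, needed_entitlement, lookup=dariah_idp_attributes):
    """campus_attrs: multi-valued attributes released by the campus IdP.
    Returns (Decision, names of missing required attributes)."""
    eppn = campus_attrs.get("eduPersonPrincipalName", [])
    if not eppn:  # without a principal name the SP cannot even query the DARIAH IdP
        return Decision.REGISTER, ["eduPersonPrincipalName"]
    central = lookup(eppn[0]) or {}  # the SP's attribute query to the DARIAH IdP
    merged = {k: set(v) for k, v in central.items()}
    for k, v in campus_attrs.items():
        if k != "eduPersonEntitlement":  # entitlements for DARIAH resources come only from DARIAH
            merged[k] = set(v)           # campus IdP is authoritative for identity attributes
    missing = [a for a in REQUIRED if not merged.get(a)]
    if missing:
        return Decision.REGISTER, missing
    if needed_entitlement in merged.get("eduPersonEntitlement", set()):
        return Decision.ALLOW, []
    return Decision.DENY, []  # registered, but not in the group that grants access
```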

Page 16

External PDP in TextGrid

OpenRBAC Architecture

Page 17

External PDP in TextGrid

Page 18

Shibboleth and SLCs

Page 19

WebSSO vs. ECP

Page 20

Web Service integration

• Easy to build basic single-tier profile with Shibboleth
  – Actors are: subject/client, IdP and SP
  – This basic use case needs a special ECP client, but no modifications for current IdPs and SPs

• However, multi-tier delegation (e.g. portal → service) is much more difficult with Shibboleth:
  – Actors: subject/client, IdP, portal SP, service SP, ...
  – More profiles than just ECP
  – Special IdP extension to be compiled and configured
  – Extra configuration at each IdP for which portal may access which service

Page 21

ECP Adoption

• ECP Binding in SAML2 Metadata: SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

• DARIAH IdP is/was the only IdP in the DFN-AAI that advertises the ECP binding
  – could be because the DFN-AAI directory did not support that profile until recently
  – within a federal state in Germany, ECP is currently being evaluated for production use

• A substantial number of IdPs support it in principle (included since Shibboleth IdP v2.3)

Page 22

ECP Adoption

• Our survey of the federation metadata of all the European SAML-based federations listed as members of eduGAIN found the ECP binding advertised only in:
  – DFN-AAI
  – two IdPs in the UK
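The metadata survey of pages 21 and 22 reduces to one check per IdP: does any SingleSignOnService in its IDPSSODescriptor carry the SOAP binding. The following is an added example, not the survey code used by the presenter; the two-IdP federation metadata is constructed, and a real feed would be signature-verified before being parsed.

```python
"""Survey SAML2 federation metadata for IdPs advertising the ECP (SOAP) binding
on SingleSignOnService. Added example, not from the slides; metadata constructed."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed federation metadata: IdP A advertises ECP next to WebSSO, IdP B only WebSSO.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example-a.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example-a.org/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://idp.example-a.org/idp/profile/SAML2/SOAP/ECP"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example-b.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example-b.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

def survey_ecp(metadata_xml):
    """Map every IdP entityID to its ECP endpoint, or None if it offers no SOAP SSO binding."""
    root = ET.fromstring(metadata_xml)
    result = {}
    # iter() also descends into nested EntitiesDescriptor groups, as found in aggregated feeds
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SPs and attribute authorities have no SingleSignOnService
        ecp = None
        for sso in idp.findall("md:SingleSignOnService", NS):
            if sso.get("Binding") == SOAP_BINDING:
                ecp = sso.get("Location")
        result[ed.get("entityID")] = ecp
    return result

def ecp_idps(metadata_xml):
    """entityIDs that advertise ECP, i.e. what the survey on the slide counted."""
    return sorted(e for e, loc in survey_ecp(metadata_xml).items() if loc)
```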

Page 23

OAuth2

• Simpler implementation for clients, pure HTTP(S) and JSON
• Authorization Server could be shared by multiple resource servers → presumably less implementation effort on the resource side
• Allows for delegation
• SAML IdPs can be connected via SAML Bearer Token
• Access and Refresh Token instead of login/password
• Natively uses OpenID Connect for AuthN (and other mechanisms possible, instead of SAML, if needed)
• Pushed by the industry, so probably a better bet in the future?

Page 24

Thanks for your Attention!

• Questions?

• DARIAH
  – www.dariah.eu

• TextGrid
  – www.textgrid.de

• DAASI International
  – www.daasi.de
  – [email protected]